[PATCH openEuler-1.0-LTS v2 367/771] io_uring: fix refcounting with batched allocations at OOM

From: Pavel Begunkov asml.silence@gmail.com

mainline inclusion from mainline-5.6-rc1 commit 9466f43741bc08edd7b1bee642dd6f5561091634 category: feature bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=27 CVE: NA ---------------------------

In case of out of memory the second argument of percpu_ref_put_many() in io_submit_sqes() may evaluate into "nr - (-EAGAIN)", that is clearly wrong.

Fixes: 2b85edfc0c90 ("io_uring: batch getting pcpu references") Signed-off-by: Pavel Begunkov asml.silence@gmail.com Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: yangerkun yangerkun@huawei.com Reviewed-by: zhangyi (F) yi.zhang@huawei.com Signed-off-by: Cheng Jian cj.chengjian@huawei.com --- fs/io_uring.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c index 14ca1fadd7b5..d3f6e3778392 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -4772,8 +4772,11 @@ static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr, break; }

- if (submitted != nr) - percpu_ref_put_many(&ctx->refs, nr - submitted); + if (unlikely(submitted != nr)) { + int ref_used = (submitted == -EAGAIN) ? 0 : submitted; + + percpu_ref_put_many(&ctx->refs, nr - ref_used); + } if (link) io_queue_link_head(link); if (statep)